Follow by Email

Tuesday, January 10, 2017

We are thinking of making an online database with all "verified" twitter accounts & their family/job/financial/housing relationships.
In other words, that it was determined to create and publish a database of personal interconnections between verified Twitter users. This database would include information about finances, family connections, cohabitation, jobs and so forth.

Let's look at this statement from two points of view: (1) that WikiLeaks made the statement , and (2) that someone else made the statement and wants us to think WikiLeaks said it.

(1) WikiLeaks made the statement

That, on the face of it, would be galling.

I ask you here, honestly: does everything have to be public?

I can understand Facebook and why they would want to collect their user graph. They protect their users' privacy (although that's far more nebulous, even given their periodic missives, famous missteps, and explanations of policy).

But let's look at the author of the tweet: WikiLeaks. This sounds more like a sinister plot to me. Let's address the main reason for this.

What's all this about WikiLeaks working with the Russians?

Though WikiLeaks may never have dealt directly with the Russian intelligence services, they certainly had to know that release of the data played right into the Russians' hands. It seems pretty clear, given the timing of the release of the Podesta emails, that WikiLeaks understands perfectly the consequences of their actions.

In fact, WikiLeaks' sensitive data releases almost always damage the west and leave Russia unscathed. A visit to the wlstorage.net torrent repository shows us specifically who they target. There are very few Russia-related information troves.

If they released a trove of data on the Russians, it seems clear to me that Assange and many others at WikiLeaks would find themselves sipping Polonium-210-laced tea like that ill-fated ex-KGB whistleblower Alexander Litvinenko. Bad press for the Kremlin (in his case, looking into the assassination of Russian journalist Anna Politkovskaya) is generally punished by death in Russia. Dig too deeply and you'll discover, much to your chagrin, that it's your own grave you have dug.

Let's just say for a moment that WikiLeaks are enemies of the west. Then this is completely consistent with publishing a database of who is related to who, what their jobs are, how much they make, and where they live. This process, called doxing enables people and organizations with malicious intent to get handles on people they want to attack. If this were true, the database WikiLeaks apparently would want to publish is, in fact, an analog of the human flesh search engine.

This kind of data would be of immense use to the Russian intelligence services, such as the FSB. So it certainly seems plausible to me that WikiLeaks was behind the tweet. But what about the other possibility?

(2) Someone else made the statement and wants us to think WikiLeaks said it

Did they even say it? It was tweeted by the WikiLeaksTaskForce, the Official WikiLeaks support account. It is explicitly intended to "correct misinformation about WikiLeaks".

Very soon after the original tweet, which has since been deleted, WikiLeaks itself tweeted the following:

Media note: @WikiLeaks is the only official account of WikiLeaks. No other accounts are authorized to make statements on @wikileaks behalf.

So the narrative might be that some troll joined (or hacked into) WikiLeaksTaskForce and posted the tweet to spread false information.

Its not unlikely at all that someone would want to discredit WikiLeaks. After all, their business is to enable whistleblowers by providing foolproof ways to release sensitive information. So anyone that has been damaged (or may be damaged) certainly has the motivation to discredit WikiLeaks. This is a big list of people, like John Kerry, Hillary Clinton, and organizations, like Bank of America, the American Intelligence community, and so on.

Tom properly discredit WikiLeaks, they would plausibly possess the means to accomplish the database in question. To assess that, we must first know exactly how WikiLeaks works.

How does WikiLeaks work?

Their primary modus operandi, I believe, must generally be given by the following steps:

accept large corpora of whistleblower information

put it onto an air-gapped network

strip it of all attribution, which entails editing it

separate it into bins of sensitivity

encrypt and encapsulate (using BitTorrent) the bins for transport

upload the information on wlstorage.net

get other sites to mirror the information

periodically release keys for the purpose of disseminating the information a bit at a time

They would use an air-gapped network to prevent anyone from hacking into them, which is definitely possible. They would want to isolate the sensitive data to completely control what is done with it and where it goes.

The stripping of all attribution information, including email headers and telltale references is done to protect their sources. This may involve redaction of information that can hurt innocent parties. But also look at this on the face of it: they are intimately acquainted with the forensics of data present in email headers.

They have admitted that they separate the data into bins of sensitivity so they can control the impact of the releases. After all, the idea that some information is more sensitive than others is a natural consequence of the information itself. But they might also want to keep the most inflammatory information as a deadman switch. Such information can be released if Assange is killed, for instance. This was demonstrated recently when, in October 2016, Ecuador cut off Julian Assange's Internet access. Soon thereafter, WikiLeaks tweeted hashes to various troves of information, aimed at John Kerry, Ecuador, and the UK FCO. So it's a virtual certainty that Assange has deadman switches.

Their favorite method of leak data storage is by encrypted, encapsulated databases, posted as a single file. This is so they can withhold the release of the data, processed using AES 256-bit encryption, until a later date, without withholding the data itself. Often, the files are hundreds of gigabytes in size, so they use BitTorrent as their transport. The file names often contain the word "insurance". This also corroborates the theory that the files constitute a deadman switch: if Assange or another key-holding WikiLeaks person is killed, then keys may be released by the others in retribution.

After the data is packaged, it is then uploaded to wlstorage.net, a storage site run by WikiLeaks that promotes mirroring. Unfortunately, from time to time, this data has often included malware which gets cleaned up, generally as soon as it is discovered.

Once there, any number of sites mirror the WikiLeaks databases. This includes CableDrum, and many other sites. This measure of redundancy prevents any single site from simply being destroyed to prevent the sensitive information from being released.

When WikiLeaks releases a trove of information, they simply need to release the AES 256-bit (64 hex digit) key. This allows anybody having access to any of the mirror sites to decrypt the information and begin the process of data mining it. Usually this means the press.

How does WikiLeaks modus operandi make the tweet more plausible, specifically?

First, because WikiLeaks is known to accept large corpora of hacked data, who says they haven't been able to get ahold of the verified Twitter database? If it's not plausible, then this tweet is a call to arms for the many hackers out there who need the cred that would stem from such a successful attack.

Second, because WikiLeaks is adept at stripping attribution information from email, metadata from photographs, wrappers from tweets, and other media, they are the perfect institution to be able to make use of that attribution information, symmetrically, to work against the "system".

Third, knowledge of encryption and the limits of its usefulness means they must also be knowledgeable about decrypting and cracking such information. They have a milieu of hackers that they are in regular contact with, certainly. They are trusted by hackers because it is WikiLeaks specific mission to protect them. They need to know what can and can't be cracked so they can keep their publicly available information troves secret from the most capable intelligence agencies in the world.

How does the tweet discredit WikiLeaks, specifically?

The ghastly specter of Big Brother looms over the tweet, that some clandestine organization is gathering information on all of us. This makes WikiLeaks the new NSA, the new GCHQ. Which makes those two organizations the ones most likely to discredit Assange.

Do they really need discrediting?

Currently their leader Julian Assange had been holed up in the Ecuadorean Embassy in London for 4 years and 7 months. This is because he has been granted asylum by Ecuador. Assange suspects that he will be extradited to the US to face charges under the Espionage Act of 1917. This could net him 45 years in a supermax prison, and potentially the death penalty.

Assange is also wanted for "lesser degree rape" in Sweden, a charge that will not expire until 2020.

Saturday, December 17, 2016

I have read that Android's success is a direct result of Apple's iOS being a walled garden. Let's look at this statement now from two different angles. First, is the walled garden really bad? Second, is this the real reason that Google and Microsoft are actively developing their own hardware?

Is the walled garden really bad?

Apple curates the apps that are allowed into the App Store. This has demonstrably reduced malware compared with Android. Recently, a form of malware, called Gooligan, was found to be present in about 100 apps. It is present in about one million phones in the wild, and increasing at a staggering rate of about 13,000 smartphones per day. I would actually say curation is a plus. So, what is it that people prefer about the Android operating system?

Talk about dubious value. Being able to root Android means (in hacker parlance) the phone can be rootkit'd. In plain English, it means that apps can enter superuser mode and obtain administrative privileges on your smartphone. Once that happens, they can reconfigure your device, redirect its output, and install their own choice of apps. In other words, you are exposed to malware that can steal your passwords, the money in your bank accounts, access your email, snapchat photos, microphone, track your location, keep logs of your text messages, listen in on your phone calls, and essentially every bad thing you can imagine. Malware on Android is a critical problem right now.

Your average consumer should never, ever root their phone. It's only for hackers, spies, and criminals to take advantage of you. What this represents is Google not looking out for you.

Now let's look at how pleasant rooting is on Android. Why should you root your phone? This article spells it out perfectly (while detailing how complicated, dangerous, and potentially undesirable the rooting process can be). The main reason that people want to root their phones is to get rid of the bloatware that's typically installed by the manufacturer (Samsung, for instance). Welcome to the same problem we had in the last millennium with PCs: shovelware. This is how they differentiate their phones from each other in the Android ecosystem -- the same way vendors used to differentiate their PCs in the Wintel ecosystem. But, in comparison, it's a fact that Apple now allows you do delete the pre-installed apps you don't want on iOS 10, without rooting your phone.

Many users want to bypass the complexity of using Terminal to obtain superuser mode on the phone's Linux kernel to change various privileges. Hey: what consumer would want to do that? So they buy rooting software to do it. Can you trust that software? No. In July 2016, rooting software was reported to have installed malware on 10 million Android handsets.

And, by the way, each manufacturer's phone has a different rooting process due to the security bloatware they've installed. Joy.

Non-proprietary software formats

This means that, unlike iOS apps, which are available only through Apple's own App Store, Android apps are available from several sources. The Google Play Store is not the only place you can buy and install Android apps. There are many alternatives, including Amazon Appstore for Android, SlideME, 1Mobile Market, Samsung Galaxy Apps, Mobile9, Opera Mobile Store, etc.

Is this a good thing? It does open up multiple sources for Android apps that run on various smartphones.

But what are the downsides of multiple app stores?

The first problem is fragmentation. Each Android smartphone has a different hardware configuration, which turns out to make the app developer's life hell. Each smartphone has a different screen configuration, for instance. Before buying an app with a specialized purpose, like using the GPS, or a game app with high demands, it's important to decide if that app will run properly on your phone. This is precisely why smartphone manufacturers have been building their own app stores -- not all apps in the Android ecosystem run on every phone.

The second problem is trust. Can you trust the app you download to be free of malware? You would like to know that the App Store you are using is checking for malware. Fundamentally, if they do not have access to the app's code, app stores cannot protect you from malware. What happens is this: you download an app, as it runs, it loads and install malware from some server somewhere. This installs Gooligan.

Nowyou find new apps simply appearing on your phone. This happens because ratings are actually steered by app companies through the use of the Gooligan software. Gooligan installs itself, initially, for the purpose of buying apps it wants you to buy, forging your approval to buy them (and possibly spend money on them) and then rating them highly. These apps can be installed because Gooligan can obtain system privileges. Usually this happens because you enter the admin password for your machine. Perhaps it's to give the app privileges to install some fontware or customization feature. These new apps it installs potentially contain the real malware, because you do not have a choice nor can you control where they come from.

Customizable interface

Really? Can't you customize the interface of an iPhone? You can customize the wallpaper and the lock screen photo. If you want to go further, you can use customization apps like Pimp Your Screen, Call Screen Maker, iCandy Shelves & Skins, Pimp Your Keyboard, and so forth.

On Android, you should ask yourself how much you want customization. After all, it might come with malware.

Oh, cost!

One of the main reasons that people prefer Android is the cost of the phone. Which really has nothing to do with Android. Actually, cost is normalizing because deals with carriers are being made that pay for the phone up front, in exchange for locking you into the carrier for two years (usually). But this applies to all phones now. So, cost is not as much a reason as it used to be. But the plain fact is that, without a carrier deal, Apple's iPhones do cost more.

Why Google and Microsoft are developing their own hardware

Second, is that even the reason that Google and Microsoft are developing their own hardware? No, it isn't. The real reason is profit envy. The price of software has been dropping quickly since the App Store was created. This means it's harder for software-only companies to keep operating margins high. Think Microsoft, who has gone to subscription software to guarantee upgrade revenues, amidst unpopular OS upgrades, like Vista. The profitable niche, mobile devices, must look pretty good to them. Should they merely license OS to hardware manufacturers, like Windows? Will that work? No. Google gives Android away for free: upgrades don't cost anything. So nobody will buy Windows Phone if it costs money. Also, hardware and software both need to be upgraded.

The real reason is that, given that software is becoming essentially free, to make the profit you must make your own hardware. Also to make the hardware work best, you must develop custom software. In fact, the best features require both hardware and software to make them work.

This tight vertical integration is why Apple reaps well over 90% of the profits in the smartphone industry year after year. They sell their own hardware. That, and their profit margin is about 40%.

Value proposition

So, why are people willing to pay a premium price for iPhones?

As always, the price is paid based on the value perceived. The value of better user experience on iOS, easier installs, significantly better privacy and security, and great design is huge. It leads to unprecedented user satisfaction ratings and loyalty. People pay for this, and enjoy the rewards.

Apple devices, on the whole, are more up to date than Android devices. Here is a chart of Android OS versions as of September 13, 2016 and their share on smartphones. It clearly shows the latest version, Marshmallow, at 18.7% installs. And on iOS? As of November 27, 2016, 63% of iOS devices have upgraded to iOS10, 29% are running iOS 9, and 8% are running earlier versions. Get the latest stats on Apple's App Store page.

Tuesday, November 8, 2016

Analysts are not always a savvy breed. In fact, sometimes they are downright stupid. Their general types of stupidity can be broken down into classes. I'll just name a few.

The first class, show offs, often throw around terms like disruption, logistics, zero-inventory and so forth without actually knowing their implications. Showing off is a pointless pretense of prowess, unless it shows valuable insight. Usually this class misses the forest for the trees.

The complainers just have axes to grind about their specific issues. They consider their beefs to be of paramount importance while ignoring the majority of users. A specific kind of complainer is the port complainer. They have whined about their disappearing serial port, FireWire port, headphone jack, and old-style USB port. But, hey, things change. It's disruption in action. Old media becomes obsolete, like vinyl records, cassette tapes, and CDs: this is because media is now delivered online. Cords disappear and wireless connections dominate: this is because virtually all updates are now accomplished over-the-air (OTA).

The feature creatures are typically Windows people who just care about feature lists and spec bullet points. They count ports, processors, gigaHertz, and keys on the keyboard. They are the ones that think shovelware makes for good workflow. If they actually use the features that they write about then they would know better. It's the user experience that leads to user satisfaction and commands user loyalty.

I don't want to forget the price people. To them price is everything. Forget about surprise and delight, user experience, or even quality! I can't tell you how annoying these people are. Their inevitable assertion is that the cheapest product always wins, which as we know already is totally wrong. Even if you're selling refrigerators! It's the product that gives the best value that wins. If you get into a price war, you've already lost.

The market share obsessors are yet another class of flawed analysts. To them, it's only about units, no matter if these units are only used for limited purposes, left in a drawer, or even if they are catching fire. They totally avoid the issue of who is actually profiting and thus who will see the consistent growth. For instance, Apple has 12.1% of the smartphone market yet makes 104% of the profit. Yet Android has 87.5% market share. How can this be? The Android hardware makers' profit is largely negative. Yep - they are losing money.

The software profiteers subscribe to the 90s Microsoft model: just build the software and let other idiots kill each other making cheaper and cheaper hardware; there's no profit in hardware, right? Wrong! If there's no profit in hardware then who is going to make it? By the way, the hardware makers often want their own unique look, defeating the standardized software. Also consider that software prices are plummeting. With the introduction of the App Store, Apple has turned software into a $2 commodity. This has forced the software profiteer into the subscription model.

Finally I give you the walled garden haters. These are descended from the people who like to build their own computers and hack them. They want freedom from carriers, authoritarian systems, and so forth. They want to pwn their hardware. In their minds all software is free, regardless of the time and effort expended by software developers. This class doesn't fundamentally grok the concept of an ecosystem, along with why ecosystems are essential to the survival of modern hardware. The hubris of these haters is in ignoring that hacking, device security, and identity theft has become the defining crucial problem of our time. All this for one reason: walled gardens are inherently more secure. IT people have long ago figured this out.

It's disappointing to find that so many analysts are last-millennium-thinkers, and they have themselves become disrupted. They're still betting on Microsoft for God's sake! Don't let their investment firms get ahold of your portfolio!

Sunday, September 25, 2016

While we were being distracted by the Yahoo half-billion-user data breach, within the last few days, Krebs On Security, a blog which I often reference here was slammed with a distributed denial-of-service (DDoS) attack of gargantuan proportions, literally silencing the blog. This was after the venerable Brian Krebs published papers on the vDOS owners. vDOS is an attack-for-hire service hosted in Israel.

Hey, what a surprise, after Krebs, a well-known security blogger (and researcher) made the people behind the attack-for-hire service also well-known, he was himself targeted by the world's largest DDoS attack! These are rich teenagers - they earned more than $600,000 (well, in Bitcoin!) in two years. Apparently their service is in great demand.

How do we know this? Oh it figures - vDOS got hacked and their client base was fully extracted and published (this is known as being "doxed", a term which I sometimes use). And Krebs obtained the information in July. This, and the fact that the FBI took notice, is why those cyber-criminal-teenagers Itay Huri and Yarden Bidani (known as AppleJ4ck) were arrested in Israel.

It's possible that these teenagers, after being arrested in Israel, were simply drafted into the Israeli Defense Forces (IDF), because they are both 18 years old (my speculation). Now they can't use the internet for 30 days.

Wow! I was sure it was just going to be a slap on the hand for these two.

Seriously, I hope they can be extradited to the US for prosecution.

The curious thing is that the documents Krebs found indicated that vDOS was literally responsible for the majority of the DDoS attacks on the web, and that the number of packets and data sent might indeed have been Internet-crippling. Apparently DDoS attackers are now taking over personal home routers and using them to accomplish their attacks, which can result on a MUCH larger number of packets being sent because literally anybody can be sending them.

When a security blog gets hit and you are temporarily in the dark about a current threat, you will need to refer to some other security blogs. Here is a decent list.

If you get hacked, you can find out if your data was included in a recent massive breach at haveibeenpwned.com.

If you have more serious concerns, there is a company, terbiumlabs.com, that can persistently search the dark web for your personal info. The info you enter is encrypted on the client side (open your computer) so even they don't know what you are searching for. This is particularly useful for corporate customers, when they're breached, and also for companies monitoring their information security (infoSec).

Monday, August 15, 2016

It seems the Oracle MICROS malware insertion hack went a bit deeper and had a suspicious purpose. Several hotels in the US, run by HEI hotels and resorts, that run the MICROS points-of-sale and hospitality software, have been breached. This means the credit card info for lots of people has been compromised. The list of dates affected by the breach indicate that the MICROS hack went in as early as March, 2015!

It is curious that the Westin City Center in Washington D.C. was included in the list, and was compromised for more than 9 months following September, 2015. This amounts to total operational awareness for whoever is running the breach. Let's admit it: if you wanted to know what is happening in US politics, what better way than to own than the comings and goings in Washington D.C.? I suspect FSB, the entity that has replaced the infamous Russian KGB.

I doubt we have seen a complete list of breaches with MICROS. If you are an IT person, visit Krebs on Security for a good list of IOCs (indicators of compromise). If you use MICROS, then change your passwords immediately.

This, once again, speaks of a state actor attempting to disrupt American politics.

But there are still a few hacks that can't be assigned easily to state actors. The recent data breach of Sage software, based in the UK, used for accounts and payroll processing, indicates that hackers are still largely following the money.

My sense is that data compromise is perpetrated on an agenda rather than simply because "people have the right to know", the tired axiom used by the media to depict crusading whistleblowers.

More often than not we are seeing criminals looking for ways to pry money out of rich people. Or directly from banking systems. But that might simply be a cover for state actors, who are building a database much deeper than Google's. And for much darker purposes.

And Now For Something Completely Disastrous

In today's news is another story that strongly correlates to the awful scenario in which the NSA's reputed-to-exist Equation Group has been hacked. This group is responsible for Stuxnet, Duqu, Gauss, and other famous modular virus architectures used to hack, among other victims, the Iranian uranium centrifuges.

Here is an example of a state actor being hacked. My fears for the Gauss modular virus architecture used to be that it would get reverse engineered and modified by less scrupulous hackers. Now my fears are that essentially every hacker will possess this toolkit. Some eastern European hacking consortium will productize it, make it easy to use, and disseminate it for bitcoins. It's a virtual Pandora's Box.

Update: The Equation Group hack appears to heavily utilize RC5 and RC6 encryption. Comparison of the code by Kaspersky's GReAT team shows it matches the Equation Group's signature. It's all wrapped up in the magical P and Q constants used by Rivest's RC5/6.

Tuesday, August 9, 2016

Updated: five more point-of-sale systems breached. More info on how long the breach existed. And yet more info on where the compromises might have hit you. More identity information for Carbanak.

Did you ever get a message in a email that says: "We're letting you know your card may have been part of a compromise at an undisclosed merchant."? And not to worry because "We're Issuing You a New Card To Help Keep Your Information Safe". In title case, no less (thanks, daring fireball, for that link).

Apparently the time has come when data compromise becomes huge. Anybody who watches Mr. Robot probably knows that credit card hacking is a serious issue, and can get much more serious. We keep closing insecure points as they are discovered, of course. But, it seems, there are still plenty of ways to get into our credit card data stream.

One such way is through the Oracle MICROS system that handles point-of-sale transactions with credit cards (specifically at restaurants, delis, and hospitality points of sale). Apparently it is possible to rootkit these transaction processors, take control of them, and capture your name, credit card number, and secret code as it goes by. And, of course, send that data to the identity thieves.

According to Krebs on Security, malware was placed on some internal Oracle server at their retail division. They thought it was just a small number of systems until they upgraded their security software to a new version. And at that point, they realized more than 700 systems were compromised! From there, it spread into the MICROS point-of-sale processors that accept your credit card and verify little things like that little gold chip on it. That was supposed to make the credit card SO much more secure.

The bottom line for us, the customers, is that the breach was detected only on July 25, 2016. And here's the catch: they don't really know how long it's even been active. Could be months.

Update: Bad news! There is info from HEI hotels that the breach might have existed since March, 2015.

Who Did It?

This is a very sophisticated hack. This was no script kiddie.

Apparently the Carbanak cybergang is responsible. According to Kaspersky, they stole $1B by attacking bank system intranets in an advanced persistent threat (APT) campaign culminating last February. This gang is a big time threat, and we have stumbled onto one more page in their playbook.

It gets even more interesting. Carbanak is connected to a Mr. Tverinov, as reported by Krebs, and supported by the sleuthing of Ron Guilmette. Artim Tverinov is CEO of InfoKube, a Russian security firm, that builds the LioN anti-virus application. A Trojan horse?

It's not rocket science - Krebs, while communicating with the shadowy Mr. Tverinov through the Vkontakte Russian social-media site, literally eye-witnessed Tverinov's Vkontakte page get deleted! This was followed by a direct-email denial of any and all wrongdoing.

This would have occurred at a chain restaurant, or perhaps a modern restaurant that is taking advantage of modern technology. And you would have used your credit card to pay. Unfortunately, this is not too unlikely a scenario, is it?

You might have seen a colorful point-of-sale display on a tablet or monitor (like this one) at a restaurant, hotel, deli, charcuterie, or even a burger chain.

Update: Forbes, in the same article as the above update, reports that your credit card might have been compromised at Donald Trump's Hotel group, Hyatt, Kimpton, or one of 1000 Wendy's restaurants. Also consult the list of hotels in the HEI list.

The Big Android Hack

Qualcomm GPUs and kernel modules are vulnerable to being rootkit'ed. This involves a huge number (900 million) Android devices. They are called the QuadRooter vulnerabilities, as explained by security researcher Adam Donenfeld in his blog post. This affects the Samsung Galaxy 7, the most popular Android device.

Sunday, July 24, 2016

One of the fastest changing landscapes on the planet isn't even a tangible one. It's more of a concept: security. Before we go on, for dear readers confused by modern hacker security terms, check out Kaspersky.

You especially don't want anyone to rootkit your computers! Once that's done, they can steal your identity, install malware for collecting passwords and account names, and so forth. Now go to the next level: your computer might then be used as part of a DDoS attack against Homeland Security. Your computer could wind up as the storage location for the malicious actors' illegal data ... without your knowledge. You become their fall guy.

Yes, there are plenty of good reasons for all of us to keep our passwords safe and distinct.

But encryption is not all black and white, is it? And that's the rub. Enter the relativistic observer, to tell you some of the latest. Things are changing too fast to blink, after all.

It's long been known that people outside the law use the Dark Web to organize, proliferate, distribute, and communicate. And the Dark Web is run using the Tor network. Tor, short for The Onion Router, is a volunteer network of servers running special protocols that relay your browsing history and other data through virtual tunnels.

To be fair, the Tor project has lofty goals. And gets used by "family & friends, businesses, activists, media, and military & Law Enforcement", according to their web site. The US Navy uses Tor for open source intelligence gathering, for instance. The EFF suggests using Tor for maintaining secure correspondence and keeping our civil liberties intact.

For people operating outside the law, the Tor network also maintains their OpSec. The Dark Net is called this because the communication within it has "gone dark". Surveillance doesn't work there.

The Tor network and the Dark Web must be a real pain to law enforcement. Given enough desperation, it might be something they would seek to infiltrate.

So what law enforcement would do is this: create their own honeypot counterfeit Tor server (or relay). But put in their own undetectable flavor of malware. Then they can watch the criminal's Dark Net traffic. And watch the crime happening. Collect the privileged conversations.

There is a question as to how invasive such investigations should be allowed to be. I'm not saying that the FBI shouldn't go after child pornographers; they totally should. I just think that *everybody* is too broad a target for law enforcement. Privacy is a basic human right.